ALTERNATE_USER_AUTHORITY - Connecting with another UserID

ASkydiver
Posted: Wed Nov 16, 2011 8:43 am    Post subject: ALTERNATE_USER_AUTHORITY - Connecting with another UserID

Newbie

Joined: 16 Nov 2011
Posts: 8

Hi All,

I'm new to using MQ Series and I'm trying to get the first simple stage working.

Here's my environment: running Windows XP SP3 on my development PC, I've loaded WebSphere MQ fix pack 7.0.1.6. I'm using Visual Studio 2010 and writing in C# using the .NET 4.0 framework. Our MQ Administrator has set up a Host / Port / QueueManager / Channel and request and response queues. A Windows service account has been created for the use of the queues.

I've tried 2 different ways of creating the QueueManager (see below) but am getting the error 2537 - MQRC_CHANNEL_NOT_AVAILABLE. Our MQ Administrator has told me that I'm trying to make the connection with my Windows UserID and not the service account that was created for this. I've tried to use the "Hashtable" option (which you'll see has been commented out), I've also tried the "Environment" option, to no avail.

Would someone be able to give me some direction as how to connect using the service account?

Code:

using System;
using System.Collections;
using System.Collections.Generic;
using System.ComponentModel;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using IBM.WMQ;

namespace LoanAppStatusMonitor {
    public partial class LoanAppStatusMonitor : Form {
        bool runManuallyFlag = true;
        SQLEngine sqlEngine = new SQLEngine ();
        SQLServerConfig sqlServerConfig = new SQLServerConfig ();
        Hashtable MQProperties = new Hashtable ();
        MQQueueManager queueManager;

        public LoanAppStatusMonitor (string[] runTimeArgs) {
            InitializeComponent ();
            if (runTimeArgs.Length > 0) {
                runManuallyFlag = (runTimeArgs [0] == "1" ? true : false);
                sqlServerConfig.ServerNo = Convert.ToInt32 (runTimeArgs [1]);
            }

            if (!runManuallyFlag) {
                button_start.Visible = false;
            }
            sqlServerConfig.ClarifyAppSrv = Properties.Settings.Default.ClarifyAppSrv;
            sqlServerConfig.HeartBeatFile = Properties.Settings.Default.HeartBeatFile;

            //MQProperties = new Hashtable ();
            //MQProperties.Add (MQC.HOST_NAME_PROPERTY, Properties.Settings.Default.MQHost);
            //MQProperties.Add (MQC.PORT_PROPERTY, Properties.Settings.Default.MQPort);
            //MQProperties.Add (MQC.TRANSPORT_PROPERTY, 1);
            //MQProperties.Add (MQC.CHANNEL_PROPERTY, Properties.Settings.Default.MQChannelName);
            //MQProperties.Add (MQC.USER_ID_PROPERTY, Properties.Settings.Default.MQUserID);
            //MQProperties.Add (MQC.PASSWORD_PROPERTY, Properties.Settings.Default.MQUserPassword);
            //MQProperties.Add (MQC.MQOO_ALTERNATE_USER_AUTHORITY, Properties.Settings.Default.MQUserID);

            MQEnvironment.Hostname = Properties.Settings.Default.MQHost;
            MQEnvironment.Port = Properties.Settings.Default.MQPort;
            MQEnvironment.Channel = Properties.Settings.Default.MQChannelName;
            MQEnvironment.UserId = Properties.Settings.Default.MQUserID;
            MQEnvironment.Password = Properties.Settings.Default.MQUserPassword;
            MQEnvironment.properties.Add (MQC.MQOO_ALTERNATE_USER_AUTHORITY, Properties.Settings.Default.MQUserID);
            MQEnvironment.properties.Add (MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES);

        }

        private void button_sendToMF_Click (object sender, EventArgs e) {
            this.Cursor = Cursors.WaitCursor;
            try {
                MFConnect ();
            } catch (Exception ex) {
                lbl_MFFeedback.Text = ex.Message;
                lbl_MFFeedback.Location = new Point ((this.Width - lbl_MFFeedback.Width) / 2, 100 );
                lbl_MFFeedback.Visible = true;
            }
            this.Cursor = Cursors.Default;
        }

        public MQQueueManager MFConnect () {
            try {
                // Attempt the connection
                //queueManager = new MQQueueManager (Properties.Settings.Default.MQqueueManagerName, MQProperties);
                queueManager = new MQQueueManager (Properties.Settings.Default.MQqueueManagerName, Properties.Settings.Default.MQChannelName, Properties.Settings.Default.MQHost + "(" + Properties.Settings.Default.MQPort + ")");
                txtBx_MFFeedback.Text = "Connected Successfully";
            } catch (MQException mexc) {
                // Wrap the MQ reason code and connection details so the UI can show them
                throw new Exception ("Queue Manager Name: " + Properties.Settings.Default.MQqueueManagerName + "\r\nUserID: " + Properties.Settings.Default.MQUserID + "\r\nHost: " + Properties.Settings.Default.MQHost + "\r\nPort: " + Properties.Settings.Default.MQPort + "\r\nChannel: " + Properties.Settings.Default.MQChannelName + "\r\n\r\nError ReasonCode: " + mexc.ReasonCode + "\r\nError Message: " + mexc.Message + "\r\n\r\nStackTrace: " + mexc.StackTrace, mexc);
            }
            // For now, return the queueManager to use in reading/writing messages next
            return queueManager;
        }
    } // end of class LoanAppStatusMonitor (closing braces added; the post ended here)
}
Vitor
Posted: Wed Nov 16, 2011 9:16 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

What does MQC.TRANSPORT_MQSERIES resolve to? If you're trying to establish a client connection I would have expected MQC.TRANSPORT_MQSERIES_CLIENT as indicated here

I wonder if it's defaulting to a binding connection which only uses the running app id.
_________________
Honesty is the best policy.
Insanity is the best defence.
ASkydiver
Posted: Wed Nov 16, 2011 9:50 am

Newbie

Joined: 16 Nov 2011
Posts: 8

Thank you for the reply.

MQC.TRANSPORT_MQSERIES resolves to a string of "MQ Series".

I've tried what you suggested after reading what you indicated, but am still getting the same error.

I'm not too sure what you mean by "defaulting to a binding connection which only uses the running app id". Is there anything that I could do to check that?
Vitor
Posted: Wed Nov 16, 2011 10:16 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

ASkydiver wrote:
I'm not to sure what you mean by "defaulting to a binding connection which only uses the running app id". Is there anything that I could do to check that?


If you're now explicitly specifying a client connection instead of a bindings then it's not doing that.

Aside from that your code looks like it should do what you want, but .NET is not my strongest suit. Someone more useful will be along in a minute.
ASkydiver
Posted: Wed Nov 16, 2011 10:47 am

Newbie

Joined: 16 Nov 2011
Posts: 8

Thank you for your replies.

I look forward to any help with regards to this.
mqjeff
Posted: Wed Nov 16, 2011 10:57 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

MQ's notion of Alternate Authority is not what you think it is, and is not relevant to MQ Connection time.

You need to Log In as The Right User.
bruce2359
Posted: Wed Nov 16, 2011 11:16 am

Poobah

Joined: 05 Jan 2008
Posts: 9470
Location: US: west coast, almost. Otherwise, enroute.

Did you research mq reason code 2537?

http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=%2Fcom.ibm.mq.amqzao.doc%2Ffm20890_.htm
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Vitor
Posted: Wed Nov 16, 2011 11:34 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

bruce2359 wrote:
Did you research mq reason code 2537?

http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=%2Fcom.ibm.mq.amqzao.doc%2Ffm20890_.htm


I suspect (given the reason code and the admin's quoted response in the OP) that there's a security exit that will only pass the service id.
ASkydiver
Posted: Wed Nov 16, 2011 12:40 pm

Newbie

Joined: 16 Nov 2011
Posts: 8

Thank you all for all the comments so far.

As a newbie, I'm not completely au fait with the whole MQ environment, but learning quickly; when the MQ administrator set up the channel/host/port/queuemanager, the IP addresses for the development PCs and final production servers were requested, also a particular Windows account and group were requested. Would this lead to a different thinking of the possible issue?

mqjeff wrote:
MQ's notion of Alternate Authority is not what you think it is, and is not relevant to MQ Connection time.

You need to Log In as The Right User.


mqjeff, are you suggesting that I log in to the Windows Network on my DEV PC with the "Right User"? If so, that doesn't make much sense, as that is a service account to be used when this application goes into production. The MQ Admin mentioned that the security had been set to ignore passwords (I'm not too sure what that means from the MQ Admin point of view); would the MQ Admin have to add my network account ID to the MQ Manager?

I've asked our MQ Admin to check the status of the Channel as implied by
bruce2359 wrote:

Did you research mq reason code 2537?

http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=%2Fcom.ibm.mq.amqzao.doc%2Ffm20890_.htm

and the channel is not in a "stopped state", and none of the "maximum allowable limits" have been reached.

I'm busy following up with the MQ Admin about the possibility of a "Channel security exit program" on the channel definition.
ASkydiver
Posted: Wed Nov 16, 2011 1:15 pm

Newbie

Joined: 16 Nov 2011
Posts: 8

I've now confirmed with the MQ Admin, they do have a "Channel security exit program" on the channel definition. This has been set up to reject any connection if the user id is not authenticated correctly.

So I'm back to step 1, how do I impersonate the correct user from a .NET environment without having to log into the network with the service account?

We do have other java applications that connect via the same procedure and don’t have the issue that I’m having.
Vitor
Posted: Wed Nov 16, 2011 1:31 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

ASkydiver wrote:
We do have other java applications that connect via the same procedure and don’t have the issue that I’m having.


Java & .NET provide user credentials in 2 separate ways; there's a lot of discussion on this forum about that!

Is the service user id you're trying to use local to the queue manager's machine or a domain account, i.e. is it properly qualified?

Are any additional diagnostics available from the channel security exit? Such things often log failed access attempts for audit purposes & it may be useful to see what the exit is receiving to validate and compare it against what you believe you're supplying.
mvic
Posted: Wed Nov 16, 2011 2:23 pm

Jedi

Joined: 09 Mar 2004
Posts: 2080

ASkydiver wrote:
So I'm back to step 1, how do I impersonate the correct user from a .NET environment without having to log into the network with the service account?

I might hope that your admins, who seem to have set up the security of this MQ system, will have an answer for this, from their policy documents.

Or it's possible there is no answer, and you just have to run your app under the ID it's intended to be run under. Is that not possible? Please explain why.
ASkydiver
Posted: Wed Nov 16, 2011 2:24 pm

Newbie

Joined: 16 Nov 2011
Posts: 8

Vitor wrote:

Is the service user id you're trying to use local to the queue manager's machine or a domain account, i.e. is it properly qualified?

The service user id is a domain account.

Vitor wrote:

Are any additional diagnostics available from the channel security exit? Such things often log failed access attempts for audit purposes & it may be useful to see what the exit is receiving to validate and compare it against what you believe you're supplying.

Here are some snippets from the log file. "dv43xxx" is my windows user id and "losuser" is the service user id. I hope this is enough of the log file.

2011-11-16|09:55:32|Connection refused, Channel [LOS.SECURE.CHANNEL] ConName [10.xxx.xx.xxx] User [dv43xxx] not in positive list [losuser,]
2011-11-16|09:55:32|Channel closed [LOS.SECURE.CHANNEL] Connection Name [10.xxx.xx.xxx]
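The exit log quoted above is exactly the audit trail Vitor asked for: it shows which identity the exit actually received versus the one the application meant to send. The following is an added example, not code from the thread or from the exit product, that parses lines in that layout and flags identities the exit saw that differ from the intended service account; the sample lines are constructed in the same format as the two quoted above, with a placeholder IP.

```python
import re
from collections import Counter

# Constructed sample in the exit's date|time|message layout (IP is a placeholder).
SAMPLE_LOG = """\
2011-11-16|09:55:32|Connection refused, Channel [LOS.SECURE.CHANNEL] ConName [10.0.0.1] User [dv43xxx] not in positive list [losuser,]
2011-11-16|09:55:32|Channel closed [LOS.SECURE.CHANNEL] Connection Name [10.0.0.1]
2011-11-16|09:57:10|Connection refused, Channel [LOS.SECURE.CHANNEL] ConName [10.0.0.1] User [dv43xxx] not in positive list [losuser,]
2011-11-16|09:57:10|Channel closed [LOS.SECURE.CHANNEL] Connection Name [10.0.0.1]
"""

REFUSED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\|(?P<time>\d{2}:\d{2}:\d{2})\|"
    r"Connection refused, Channel \[(?P<channel>[^\]]+)\] "
    r"ConName \[(?P<conname>[^\]]+)\] User \[(?P<user>[^\]]+)\] "
    r"not in positive list \[(?P<allowed>[^\]]*)\]$"
)


def parse_refusals(log_text):
    """Return one dict per 'Connection refused' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = REFUSED_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # The exit writes the list with a trailing comma ("losuser,"); drop empties.
        rec["allowed"] = [u for u in rec["allowed"].split(",") if u]
        events.append(rec)
    return events


def refusal_summary(events):
    """Count refusals per (channel, presented user) so repeat failures stand out."""
    return Counter((e["channel"], e["user"]) for e in events)


def identity_mismatch(events, intended_user):
    """Identities the exit actually received that differ from the one the app
    intended to use (in the thread: app set losuser, exit saw dv43xxx)."""
    return sorted({e["user"] for e in events if e["user"] != intended_user})


if __name__ == "__main__":
    evs = parse_refusals(SAMPLE_LOG)
    for (chan, user), n in refusal_summary(evs).items():
        print(f"{chan}: {user} refused {n} time(s)")
    print("unexpected identities:", identity_mismatch(evs, "losuser"))
```

Run against the real exit log, a non-empty result from identity_mismatch tells you the process is not running as the account you configured, which is what the rest of the thread concludes.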
ASkydiver
Posted: Wed Nov 16, 2011 2:38 pm

Newbie

Joined: 16 Nov 2011
Posts: 8

mvic wrote:
Or it's possible there is no answer, and you just have to run your app under the ID it's intended to be run under. Is that not possible? Please explain why.

This is where my lack of MQ experience may show, I'm in the development phase of the program, so to make the connection to the QueueManager I set the

MQEnvironment.UserId = Properties.Settings.Default.MQUserID;
MQEnvironment.Password = Properties.Settings.Default.MQUserPassword;


where "Properties.Settings.Default.MQUserID" = "losuser" and "Properties.Settings.Default.MQUserPassword" = "password", but when looking at the log file from the MQ audit, it's showing my windows user id of "dv43xxx". I've not set any MQEnvironment variable with my windows user id.

I really appreciate everyone's input so far.
mqjeff
Posted: Wed Nov 16, 2011 2:59 pm

Grand Master

Joined: 25 Jun 2008
Posts: 17447

You can NOT change the identity of the user from WITHIN your program.

You would not expect Microsoft Word to allow you to pretend to be the domain administrator, would you?

You *must* ensure that your *program* is *running* as the userid that needs to connect.

The admins who have configured your MQ security exits appear fully qualified to understand your needs, and to provide you with a suitable mechanism to execute your code to meet your development, test, and production requirements.

You should be talking to THEM more.